Apple blacklists older versions of Flash plugin due to security risk

Flash is the new Java. Or is that the other way around?

Just as it did with some versions of Java, Apple has now blocked older versions of Adobe's Flash plugin to protect Mac users from security risks. In a new support document posted to its website on Friday, Apple explained that it has already updated its plugin blocking tool built into Safari—users don't need to lift a finger.

"To help protect users from a recent vulnerability, Apple has updated the web plug-in-blocking mechanism to disable older versions of the web plug-in: Adobe Flash Player," the company wrote.

In order to block older versions of Flash, Apple has updated its "Xprotect.plist" file so that any versions that come before the current one (version 11.6.602.171) cannot be used on a Mac. Users who have older versions of Flash installed will be greeted with an alert that says "Blocked plug-in," and Safari will prompt the user to update to a newer version. If you want to check which version of Flash you have installed right now, you can go to Adobe's website to get the version number and perform an update if necessary.

50 Reader Comments

I don't use a Mac (so maybe my ignorance shows through here), but is it possible some users are unable to update to the latest version (OS or hardware requirements and/or company policy) and are now left completely out in the cold?

As I understand it, XProtect, and the built-in blacklist is a feature of 10.7 and 10.8, so anything old enough to be incompatible with the update would also be too old for this feature. It could lock out people without admin rights, though (thanks Adobe!).

I don't use a Mac (so maybe my ignorance shows through here), but is it possible some users are unable to update to the latest version (OS or hardware requirements and/or company policy) and are now left completely out in the cold?

No. Adobe has an older version of Flash for users still on 10.4 and 10.5 and a normally updated version of Flash for 10.6 through 10.8.

I have decided that every year since the release of Windows XP, all the big tech companies have gotten together and bet on some random event. The loser of which had to become the year's Microsoft. Last year it was Adobe, this year it was Oracle.

I don't use a Mac (so maybe my ignorance shows through here), but is it possible some users are unable to update to the latest version (OS or hardware requirements and/or company policy) and are now left completely out in the cold?

Not sure if that is the case here, but being "left out in the cold" is better than being dumped on an iceberg surrounded by sharks.

If you have an old version of flash, you need to stop using it. No exceptions.

This, coupled with the fact that I rarely need flash for anything, is making me consider uninstalling flash. It's dying anyway, and will hopefully be replaced by HTML5, which, (I might be wrong here; feel free to correct me) should be somewhat easier to push updates, but also harder to 'stop using' like I would flash, as it is more widely used.

Very happy to see Apple adopting a proactive stance to security. Attention to detail makes them stand apart.

It's not that different from MSE in some ways. But I agree, blocking known bad plugins is a good thing. If you're an IT person that "needs" the plugin for something, you're probably good enough at using plutil to fixup the block list to know that you're vulnerable.

This is why chrome is my "flash" browser now. No plugin installed at the os, and I nuke the java plugin entirely. I'm learning clojure and use regular java stuff so won't remove it entirely, but don't need the internet browser plugins at all.

Hmmm, after the forced update, I had to double check that Adobe didn't overwrite my subversion of their Flash Cookie system; my user//Library/Preferences/Macromedia/Flash Player/ directory remains locked down (chmod 500) and the only addition was the addition of a file called version.txt, excellent!

As I understand it, XProtect, and the built-in blacklist is a feature of 10.7 and 10.8, so anything old enough to be incompatible with the update would also be too old for this feature. It could lock out people without admin rights, though (thanks Adobe!).

I don't use a Mac (so maybe my ignorance shows through here), but is it possible some users are unable to update to the latest version (OS or hardware requirements and/or company policy) and are now left completely out in the cold?

I want to be able to stop using Flash and Java. For the most part I manage. I have a VM that I put Java on for some work apps. Flash though is tough. It's still used in odd things I don't anticipate or have time to work around. The sooner Flash dies and HTML5 reigns, the easier it will be to avoid these glaring security issues.

I don't use a Mac (so maybe my ignorance shows through here), but is it possible some users are unable to update to the latest version (OS or hardware requirements and/or company policy) and are now left completely out in the cold?

Not sure if that is the case here, but being "left out in the cold" is better than being dumped on an iceberg surrounded by sharks.

If you have an old version of flash, you need to stop using it. No exceptions.

Not to poke holes in your analogy but I'd much much rather get eaten by sharks than freeze to death. :x

Don't Firefox users already have some sort of old plugin blocker? Or am I remembering wrong?

I know a few websites like YouTube won't play videos if your version of flash is too old.

Yes, not only old but even vulnerable, for example it warns me about the latest java version-

That's how I found out about the issue - by attempting to play a playlist in Youtube via Fluid and suddenly finding everything blocked. I launched Safari - same thing. The normal methods of Flash player updating didn't work so I spent over half an hour purging files and DL'ing two necessary updates (Flash and AIR [for Defender's Quest]).

I can't help but wonder what less knowledgeable Mac users would do when they find that Flash was automatically disabled. I'm expecting a frantic tweet from a friend any minute now and will have to open Skype to talk him through it.

Well I'm happy to see that the majority of the comments here aren't going on one of those tangents about Apple being the evil guy here and so on and so forth. But then, like some pointed out, this is going to force people to buy new Macs. In the future, of course.

I don't use a Mac (so maybe my ignorance shows through here), but is it possible some users are unable to update to the latest version (OS or hardware requirements and/or company policy) and are now left completely out in the cold?

No. They would not be able to update OSX to the required version to disable old versions of flash. A simple example would be people using OSX Leopard because they have a PPC processor.

This, coupled with the fact that I rarely need flash for anything, is making me consider uninstalling flash. It's dying anyway, and will hopefully be replaced by HTML5, which, (I might be wrong here; feel free to correct me) should be somewhat easier to push updates, but also harder to 'stop using' like I would flash, as it is more widely used.

I removed the Flash plugin from my machine so if a site insists on ONLY showing a video in Flash, I …

first, try invoking “User agent…iPad” from the optional Develop menu. This works most of the time.

next, select “Open Page with…Google Chrome” from the same menu. Google supplies Flash built in and doesn't use the standard plugins.

Or rather, most often realize that the video is probably a time-waster anyway, from a site with little accommodation of, or regard for, mobile and security-conscious users.

This allows me to keep dozens of pages open in Safari, since Flash was the most common cause of memory leaks leading to a crash while I had loaded up a bunch of pages for offline reading. (I fly a lot.) If Chrome crashes, it's small potatoes (except for the one time it interacted nastily with Exposé, bluescreening my entire set of windows).

Well I'm happy to see that the majority of the comments here aren't going on one of those tangents about Apple being the evil guy here and so on and so forth. But then, like some pointed out, this is going to force people to buy new Macs. In the future, of course.

Let me guess that some Arsians keep old Macs — PPCs and 32-bit X86 machines — for testing. But most of those are WELL over 5 years old and have more than paid for themselves at this point. They would be gawdawful slow for many activities, including the much heavier webpages that are the norm these days, where the protection would also be the most valuable.

I only use Flash on a website that connects people to young, happy Russian women that like old fat bald Americans and connects people to Nigerian billionaires that need help getting their money out of the country. I think it is broken, as it keeps asking me for my banking and credit card information.

I'm very happy to see that Apple have finally woken up and smelt the coffee and are starting to admit to their customers, albeit tacitly, that it's not just Windows that is affected by malware.

I wonder if they'll eventually follow Microsoft's lead and ship OSx with built in security protection? iVirus? ;-))

Apple has included auto-updating anti-malware protection in OS X since Snow Leopard, known as XProtect. This was mentioned quite a few times already in the comments. In fact, the disabling of vulnerable versions of Java and Flash is handled courtesy of XProtect.

I'm still not exactly sure why people are still talking about Flash being evil and HTML5 being the future. Is this only because Apple decided to talk about it, and people feel better when they think they're fighting something "evil"? Sure, HTML5 is going to be the future, but a sucky one. The drawing APIs and the flexibility of Flash's AS rival those of HTML5. Sure, it may be a great thing for the consumers - everything you ever need is from the browser, not a plugin - but it's not as fun for the developers. Expect to see less interesting content in the near future.

I wonder if they'll eventually follow Microsoft's lead and ship OSx with built in security protection? iVirus?

Nope, they won't be including a virus scanner, if that's what you are talking about. Because the virus scanner model is only one way of achieving security, and a poor one at that. Virus scanners drain performance, introduce security vulnerabilities of their own (what fraction of malware apps are fake virus scanners?), and are fairly easy for malware makers to program around. Apple instead uses code signing coupled with their Xprotect blacklist mentioned previously. They also provide an optional, curated app store for the OS X platform.

I'm still not exactly sure why people are still talking about Flash being evil and HTML5 being the future. Is this only because Apple decided to talk about it, and people feel better when they think they're fighting something "evil"? Sure, HTML5 is going to be the future, but a sucky one. The drawing APIs and the flexibility of Flash's AS rival those of HTML5. Sure, it may be a great thing for the consumers - everything you ever need is from the browser, not a plugin - but it's not as fun for the developers. Expect to see less interesting content in the near future.

People were pretty sceptical when Apple first started talking about it, actually. The reason people are talking about it now is that flash has proven itself to be evil with one security flaw after another. Of course it helps that Apple has been able to focus media attention on flash's flaws- every time they block flash using Xprotect the news gets out and flash gets a black eye, whereas up until a couple years ago flash vulnerabilities would go unreported except in certain small circles. (Xprotect has also gone after Java, produced by longtime Apple ally Oracle, so it isn't an Apple vs. Adobe thing either.)

At this point, I think many people are ready to live with HTML's growing pains and current limitations than to keep risking their security with Flash.

Not to poke holes in your analogy but I'd much much rather get eaten by sharks than freeze to death. :x

I'd always heard that freezing to death was one of the better ways to go. You just get drowsy from hypothermia, then fall asleep and never wake up.

Not to mention the euphoria preceding that, sometimes accompanied by paradoxical undressing. Could be fun...

With the sharks there's some pain during the biting phase, after that it's all blood loss, which isn't too painful. You also have the satisfaction of knowing your death had meaning- you gave the sharks a nice day. So neither one would rank on a list of '10 worst deaths'.

People were pretty sceptical when Apple first started talking about it, actually. The reason people are talking about it now is that flash has proven itself to be evil with one security flaw after another. Of course it helps that Apple has been able to focus media attention on flash's flaws- every time they block flash using Xprotect the news gets out and flash gets a black eye, whereas up until a couple years ago flash vulnerabilities would go unreported except in certain small circles. (Xprotect has also gone after Java, produced by longtime Apple ally Oracle, so it isn't an Apple vs. Adobe thing either.)

At this point, I think many people are ready to live with HTML's growing pains and current limitations than to keep risking their security with Flash.

Ehh... I wouldn't still call it "evil". It's not like Flash is a monster with millions of tentacles probing your system!

Removing Flash doesn't necessarily mean that security is better. Hackers aren't going to twiddle their thumbs once Flash (or even Java) is gone. They'll start working on browser exploits, and then things will really get ugly.

I'm still not exactly sure why people are still talking about Flash being evil and HTML5 being the future. Is this only because Apple decided to talk about it, and people feel better when they think they're fighting something "evil"? Sure, HTML5 is going to be the future, but a sucky one. The drawing APIs and the flexibility of Flash's AS rival those of HTML5. Sure, it may be a great thing for the consumers - everything you ever need is from the browser, not a plugin - but it's not as fun for the developers. Expect to see less interesting content in the near future.

The evil security flaws are merely ONE manifestation of Adobe letting Flash slip out of its control.

Flash was, for example, the number one cause of Safari/Mac crashing (in many people's experience). I understand that Apple made it none too easy for Adobe, because as OSX matured, Apple made dramatic changes to the imaging model, but Adobe basically continued to “support” the platform at a lower, and buggier, level. Then Adobe howled its head off about iPhone not having Flash, but Adobe has NEVER come close to putting a proper Flash version on devices with as little RAM as the first couple of iPhones. (Only AFTER Brimelow's widely-known “screw you Apple” blog, did Jobs write his Thoughts on Flash that gave out too many sorta-tangential reasons why Apple had given up hope of having Flash on the iPhone, besides the impossibility of Apple guaranteeing it wouldn't be a blot on the whole, then-fragile ecosystem. By the time ½ or 1 GB of RAM became common on phones, Adobe had already thrown in the towel on claiming to support mobiles.)

Adobe's capitulation on mobile was done after an aborted claim to support “mobile first”—a claim that was most immediately followed by addition of 3G intrinsics that required brand new code for mobile that was never implemented, and the addition of a new standard codec to support perhaps 1% of web video. Adding new features when your codebase is already badly out of control, is perhaps the most damning thing you could say about Adobe's product management.

So I wouldn't dispute your claims about Flash out-performing HTML5 — as long as you insert the qualifier, “on paper” and “and maybe for the desktop.” But they're utterly irrelevant to mobile, which is racking up more than twice as many new users each quarter as there are Windows [X] renewals and new users. (Apple ALONE matched or out-sold all flavors of Windows combined last quarter.)

Adobe has admitted that they cannot manage the huge diversity of OS, hardware and graphics environments now that Windows / Mac no longer covers 99% of the user base. Too bad that Flash developers got abandoned by Adobe, but wishing that Adobe would choose to support the product isn't going to help. Don't waste your time impugning the shaky state of HTML5; direct your advice to San Jose to get cracking on Flash-like tools for the whole web.